Open Source Dependencies
Criteria
All software library/framework dependencies of CATS must be available under a permissive open source license such as MIT, Apache, or BSD. This avoids the obligation that comes with copyleft licenses like the GPL to make the source of any derived work available to users, and CATS itself may qualify as a derived work. Some projects are available under both a permissive and a copyleft license simultaneously; these may be used, since we can choose to use them under the terms of the permissive license.
Before adding any dependency to the project, evaluate the project for the following criteria:
- Is the repository well-formed with a README, license, contributing notes?
- Is the package available under a permissive license (e.g. MIT, BSD, or Apache)?
- Does the repository have a multitude of commits, stars, forks?
- Are there no long-open issues or pull requests that highlight serious problems without any active engagement from the maintainers?
- Does the project enable CATS to externalize enough complexity to be economically worth the added risk of a new dependency? If the project is trivial in complexity, consider replicating it into the CATS codebase instead, provided that can be done without violating any licensing (see the left-pad fiasco).
- Is the project, among its alternatives, the most aligned with the CATS project’s existing patterns and foundational dependencies, and built against the latest generation of ecosystem patterns?
Forking
Dependencies may be forked from time to time to fix bugs or contribute features, when doing so is determined to be the most economical strategy for achieving a goal of the CATS project. When forking a dependency, fork it into a personal or our own team's GitHub account rather than the IndeVets organization, unless there is an intent for IndeVets to maintain the fork on a long-term basis. The goal should always be to open pull requests and get fixes or features merged into the upstream project as quickly as possible. Maintaining a forked repository responsibly is a costly burden, and links to unofficial forks of packages left within the CATS project are a continuity/stability hazard.
Official forks
laravel-quickbooks
The LifeOnScreen/laravel-quickbooks package provides a reusable way to idiomatically consume the official QuickBooks PHP SDK distributed by Intuit from within the proper lifecycle of a Laravel application. The package is low in complexity and code footprint, serving only as an adapter between the general-purpose QuickBooks SDK that can be consumed from any PHP application and the proper patterns/conventions for consuming such a service within a Laravel application.
Jarvus Innovations has maintained a fork with a number of fixes and new features integrated since before the IndeVets CATS project began. Pull requests have been opened by Jarvus and others to integrate these changes back into the project, but the project's owners have not responded to any of them. The unofficial Jarvus fork of the repository is currently used as a dependency of CATS and of other Laravel projects Jarvus services, as a place to integrate all pending changes together. Jarvus has announced an intention to fork the project, which was published under the MIT license, and has received some community support. Forking the project will enable Jarvus to take on reviewing and accepting community contributions and to provide consuming projects a long-term stable URL from which to pull a maintained distribution.
2021-10-19 Update
This fork has been created and now resides at https://github.com/JarvusInnovations/laravel-quickbooks
License auditing
Frontend analysis
Frontend dependencies are tracked in package.json and can be analyzed with the NPM tool license-checker:
npm install -g license-checker
npx license-checker > npm-report.txt
grep 'licenses:' npm-report.txt | sed 's/^[^:]*:\s*//;s/\s*$//' | sort | uniq -c | sort -bgr | awk '{printf "- (%s)",$1; $1=""; printf "%s\n",$0}'
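The pipeline above only counts license strings; the criteria also require that each dependency actually have a permissive option. The following script is an added example (not part of the CATS project) that reads a license-checker report and classifies each package's license expression: dual-licensed (OR) packages pass if any alternative is permissive, AND conjunctions require every component to be permissive, and guessed values (marked with *) or Custom: URLs are sent for manual review. The allowlist, the function names, and the sample report are assumptions constructed for this example.

```shell
# Added example (not from the CATS project): classify license expressions from a
# license-checker report against a permissive allowlist. The allowlist below is
# an assumption; extend it to match the project's own policy.
ALLOWED="MIT ISC 0BSD BSD-2-Clause BSD-3-Clause Apache-2.0 Unlicense CC0-1.0"

allowed() {  # succeed if $1 is exactly one of the allowed SPDX identifiers
    for a in $ALLOWED; do [ "$a" = "$1" ] && return 0; done
    return 1
}

# classify_license EXPR -> prints ok | review | flag
#   review: guessed ("MIT*") or non-SPDX ("Custom: ...") values need a human look
#   flag:   no permissive option, so the criteria are not met as-is
classify_license() {
    e=$(printf '%s' "$1" | sed 's/^(//;s/)$//')          # drop outer parentheses
    case "$e" in *'*'*|Custom:*) echo review; return ;; esac
    case "$e" in
        *" OR "*)   # dual licensed: usable under any permissive alternative
            for part in $(printf '%s' "$e" | sed 's/ OR / /g'); do
                allowed "$part" && { echo ok; return; }
            done; echo flag ;;
        *" AND "*)  # conjunction: every component must be permissive
            for part in $(printf '%s' "$e" | sed 's/ AND / /g'); do
                allowed "$part" || { echo flag; return; }
            done; echo ok ;;
        *) if allowed "$e"; then echo ok; else echo flag; fi ;;
    esac
}

# scan_report FILE -> one "verdict<TAB>package<TAB>license" line per package
scan_report() {
    awk '/^├─ / {pkg=$2} /licenses:/ {sub(/^.*licenses: */, ""); print pkg "\t" $0}' "$1" |
    while IFS="$(printf '\t')" read -r pkg lic; do
        printf '%s\t%s\t%s\n' "$(classify_license "$lic")" "$pkg" "$lic"
    done
}

# Constructed sample in license-checker's tree format (not a real scan)
REPORT=$(mktemp)
cat > "$REPORT" <<'EOF'
├─ alpha@1.0.0
│  ├─ licenses: MIT
├─ beta@2.1.0
│  ├─ licenses: (GPL-2.0 OR MIT)
├─ gamma@0.3.0
│  ├─ licenses: MPL-2.0
├─ delta@4.0.0
│  ├─ licenses: MIT*
EOF
scan_report "$REPORT"
```

Run it against a real npm-report.txt in place of the constructed sample; any flag or review line is a package to resolve before the scan results are recorded.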
Backend analysis
Backend dependencies are tracked in composer.json and can be analyzed with the Composer tool composer-license-checker:
composer global require dominikb/composer-license-checker
composer exec composer-license-checker report > composer-report.txt
grep 'Count' composer-report.txt | awk '{printf "%s %s\n",$2,$4}' | sort -bgr | awk '{printf "- (%s) %s\n",$1,$2}'
Results
These are the results of license scans as of: 2021-09-01
Frontend results
- (1440) MIT
- (141) ISC
- (48) BSD-3-Clause
- (40) BSD-2-Clause
- (34) Apache-2.0
- (11) MIT*
- (3) (MIT OR CC0-1.0)
- (3) Custom: http://npm-stat.com/charts.html
- (3) CC0-1.0
- (3) BSD*
- (2) (WTFPL OR MIT)
- (2) Unlicense
- (2) 0BSD
- (1) WTFPL
- (1) MPL-2.0
- (1) (MIT OR Apache-2.0)
- (1) (MIT AND Zlib)
- (1) (MIT AND BSD-3-Clause)
- (1) (GPL-2.0 OR MIT)
- (1) Custom: https://nguyenvanduocit.github.io/vue-loading-spinner/
- (1) Custom: https://github.com/tmcw/jsonlint
- (1) Custom: https://github.com/RIAEvangelist/easy-stack
- (1) (CC-BY-4.0 AND OFL-1.1 AND MIT)
- (1) CC-BY-4.0
- (1) CC-BY-3.0
- (1) BSD-3-Clause OR MIT
- (1) (BSD-3-Clause OR GPL-2.0)
- (1) BSD
- (1) Apache 2.0
- (1) Apache*
Backend results
- (147) MIT
- (28) BSD-3-Clause
- (5) Apache-2.0
- (1) BSD-2-Clause